On Wed, Feb 17, 2010 at 11:28 PM, Johan Beisser <j...@caustic.org> wrote:
> On Wed, Feb 17, 2010 at 7:59 PM, Jason Beaudoin <jasonbeaud...@gmail.com>
> wrote:
>> From a compliance perspective, I don't have much choice. From the
>> costs, infrastructure, and administrative perspectives, I am currently
>> evaluating whether or not I should be leaning towards an IDS or IPS
>> solution, and of course which system/vendor. My understanding is that
>> something like snort requires a fair bit of maintenance and
>> IT-attention, the trade-off being cost, so I am leaning away from
>> this. Between detection and prevention, preventing break-ins seems a
>> bit sillier than trying to actively monitor what's going on and to
>> then look for threats, so this pushes me more towards IDS over IPS.
>
> I agree with you. High rates of false positives, but fairly low rates
> of false negatives. Once the care and feeding is taken care of
> (turning off everything and gradually fine tuning to your current
> traffic helps), they're useful for alerting against unusual traffic
> leaving your network; not so much against automated attacks coming into
> the network. My own deployments are specifically to monitor for odd
> outbound traffic from my office. It's a rapid way to find out about
> the latest trojan, worm, or other infection my users have brought in
> on their laptops.

Indeed, this is why IDS makes more sense to me, and I am glad to see
this confirmed/validated by others here. So I guess this is now just a
question of setting up snort versus a commercial solution.

> That said, the usefulness of an IDP is specifically preventing most
> automated and known attacks from passing into your network. By using
> one of the commercial systems, you gain support, tuning, and the fact
> that you don't have to spend as much time with the care and feeding or
> writing/testing new rulesets against your current version.

This is the difficult place I'm in.. to me, the commercial solution
means I have someone else looking at and dealing with all of the false
positives, which is something that I won't kid myself on - I don't know
if I even have the time to be the fine tuning machine.. then again the
cost is just plain silly when compared with a snort/bsd setup.

Are there any good open source alternatives to Snort that are worth
considering here?

> As a compliance feature, I've found most administrators put them in
> place and promptly turn the reporting off due to the high rate of
> false positives reducing the signal from the noise.
>
> jb
>

right, which is just silly and a waste of everyone's time. thanks for
sharing..

~Jason
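As an added example (not from anyone in this thread), here is a small parser for Snort's alert_fast log format that tallies alerts per rule SID, which is the starting point for the "turn everything off and tune gradually" approach Johan describes, and separates out alerts whose source sits inside an assumed HOME_NET of 10.0.1.0/24, the odd outbound traffic he uses his deployments to catch. The sample log lines, SIDs and addresses are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Snort's alert_fast format; SIDs, messages and
# addresses are made up for this example, not real alerts.
SAMPLE_ALERTS = """\
02/17-23:28:01.123456  [**] [1:2000345:5] TROJAN IRC bot command channel [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.1.23:51234 -> 203.0.113.5:6667
02/17-23:28:03.000001  [**] [1:1000001:1] LOCAL outbound SMTP from workstation [**] [Priority: 2] {TCP} 10.0.1.23:51240 -> 198.51.100.9:25
02/17-23:29:10.000002  [**] [1:2001219:20] SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:4411 -> 10.0.1.5:22
02/17-23:29:11.000003  [**] [1:2001219:20] SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:4412 -> 10.0.1.5:22
02/17-23:29:12.000004  [**] [1:2001219:20] SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:4413 -> 10.0.1.5:22
"""

HOME_NET = ipaddress.ip_network("10.0.1.0/24")  # assumed internal range

# One alert per line: [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Yield one dict per parsable alert_fast line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def direction(alert, home_net=HOME_NET):
    """Classify a flow relative to home_net: outbound, inbound, internal or external."""
    src_in = ipaddress.ip_address(alert["src"]) in home_net
    dst_in = ipaddress.ip_address(alert["dst"]) in home_net
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "external"

def triage(text, home_net=HOME_NET):
    """Return (alert count per (sid, msg) for finding the noisiest rules to tune,
    list of outbound alerts to look at first)."""
    by_sid = Counter()
    outbound = []
    for a in parse_alerts(text):
        by_sid[(a["sid"], a["msg"])] += 1
        if direction(a, home_net) == "outbound":
            outbound.append(a)
    return by_sid, outbound
```

Feeding a real alert file into triage() and sorting by_sid.most_common() shows which rules generate the bulk of the noise, while the outbound list is the short queue worth reading first.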